Configuring EVPN
The configuration of EVPN revolves around the selection of the border gateway nodes and the configuration of associated VNIs for the VRFs.
In addition, the fabric automation transparently performs a number of related configuration steps, which can be verified with new show commands or with new parameters of existing commands, as shown in the examples below.
Configuring the Border Gateways
The first step is to configure the vRouters on at least two nodes across two pods as border gateways. This is done with the vrouter-create command using the evpn-border/no-evpn-border parameter. For an existing vRouter, the vrouter-modify command can be used instead.
For example:
CLI (network-admin@switch) > vrouter-create name vRouter1 fabric-comm enable location border-switch router-type hardware evpn-border bgp-as 5200 router-id 10.30.30.30
Then the vrouter-show command can be used to verify the current EVPN parameter configuration:
CLI (network-admin@switch) > vrouter-show name vRouter1 format all layout vertical
id: c00029d:0
name: vRouter1
type: vrouter
scope: fabric
vnet:
location: switch
zone-id: c00029d:1
router-type: hardware
evpn-border: enable
The second step is for the user to configure an MP BGP neighbor with the l2vpn-evpn parameter to point to an external EVPN border gateway:
CLI (network-admin@switch) > vrouter-bgp-add vrouter-name vRouter1 neighbor 190.12.1.3 remote-as 65012 ebgp-multihop 3 update-source 190.11.1.3 multi-protocol l2vpn-evpn
This configuration enables the use of the standard EVPN NLRI, which is carried using BGP Multiprotocol Extensions with an Address Family Identifier (AFI) of 25 (L2VPN) and a Subsequent Address Family Identifier (SAFI) of 70 (EVPN).
Configuring L3 VNIs
To uniquely identify VRF instances with EVPN, it is necessary to specify the new l3-vni parameter during creation (or modification), like so:
CLI (network-admin@switch) > vlan-create id 1000 auto-vxlan 101000 scope fabric ports none
CLI (network-admin@switch) > vrf-create name VRF1 l3-vni 101000
As explained in more detail in the Configuring VXLAN chapter, subnets can be mapped to VRFs with the subnet-create command, for example:
CLI (network-admin@switch) > vlan-create id 12 auto-vxlan 500012 scope fabric
CLI (network-admin@switch) > subnet-create name subnet-vxlan-500012 scope fabric vxlan 500012 network 172.10.2.0/24 anycast-gw-ip 172.10.2.1 vrf VRF1
L3 VNIs also enable a new forwarding mode (see the two-hop model described above), which is used for inter-pod VXLAN routing.
Once configured, you can check the VRFs with the vrf-show command:
CLI (network-admin@switch) > vrf-show format name,vnet,anycast-mac,l3-vni,active,hw-router-mac,hw-vrid,flags,enable
name vnet anycast-mac l3-vni active hw-router-mac hw-vrid flags enable
---- ---- ----------------- ------ ------ ----------------- ------- ------ ------
VRF1 0:0 64:0e:94:40:00:02 101000 yes 66:0e:94:48:68:a7 1 subnet yes
Note that with EVPN the user does not need to configure vrf-gw and vrf-gw2, except on border gateways connected to DC gateways for North-South traffic. Traffic reaches the border gateways through the default route described in Figure 9-3 above.
Configuring and Displaying MAC Mobility
MAC mobility is handled automatically by the EVPN control plane. However, it is important to deal with duplicate MAC address scenarios appropriately. Therefore, some special parameters are available to help with the remediation in such scenarios, as explained in the About MAC Mobility with EVPN section above.
You can (optionally) configure the three duplicate MAC address parameters on a per vRouter basis with the following command:
CLI (network-admin@switch) > vrouter-create name <vr-name> evpn-dup-addr-max-moves <count> evpn-dup-addr-moves-duration <seconds> evpn-dup-addr-freeze <seconds>
When not specified, the default values are:
- evpn-dup-addr-max-moves: 5
- evpn-dup-addr-moves-duration: 180
- evpn-dup-addr-freeze: 180
You can also modify those parameters with the vrouter-modify command.
For example, let’s consider the case in which those three parameters are modified from the default values and are configured to 8, 401 and 301, respectively. You can display the new values with the following condensed command:
CLI (network-admin@switch*) > vrouter-show format name,evpn-border,evpn-dup-addr-max-moves,evpn-dup-addr-moves-duration,evpn-dup-addr-freeze
name evpn-border evpn-dup-addr-max-moves(s) evpn-dup-addr-moves-duration(s) evpn-dup-addr-freeze
-------- ----------- -------------------------- ------------------------------- --------------------
vRouter1 enable 8 401 301
vRouter1 enable 8 401 301
In this case, if 8 MAC moves are detected within a 401-second window, the duplicate MAC address entry is frozen for 301 seconds to give the operator time to remediate. The frozen entry and the sequence number received before the 8th MAC move can be displayed with the following command:
CLI (network-admin@switch) > vrouter-evpn-duplicate-mac-show
switch vrouter-name host-mac seq
------------ --------------- ----------------- ---
switch vRouter1 00:12:c0:80:33:6a 7
This output clears after evpn-dup-addr-freeze seconds have elapsed (180 by default; 301 in this example).
Furthermore, the total MAC move count can be checked periodically in the MM (MAC Move) field of the extended community with this command:
CLI (network-admin@switch) > switch * vrouter-evpn-bgp-routes-show route-type 2 format vrouter-name,rd,vni,mac,route-type,next-hop,extended-community
switch vrouter-name rd vni mac route-type next-hop path extended-community
------- ------------ --------- ------ ----------------- ---------- --------- ----- ------------------------
switch vr2 2.2.0.1:2 100100 2e:d7:27:b9:11:6d 2 20.0.12.1 66001 RT:465:100100 ET:8 MM:48
switch1 vr1 2.2.0.1:2 100100 2e:d7:27:b9:11:6d 2 20.0.12.1 66001 RT:465:100100 ET:8 MM:48
In addition, typically for troubleshooting, you can see each MAC move being notified and logged on a node with the following command, looking for the string action MAC_MOVE:
CLI (network-admin@switch) > vrouter-log-show vrouter-name vr2 protocol evpnsnoop
log-message
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<snip>
2021-05-21,05:24:26.075.:rs_msg.c:624:rs_msg_vport_update_event_cb L2_UPDATE mac: 2e:d7:27:b9:11:6d, log_type l2-modify caller cluster-status: vxlan 100100, vlan 100 reason:modify,evpn-mac-move owner_flags 0x0, over_tunnel 1791, 2e:d7:27:b9:11:6d action MAC_MOVE ip 10.0.100.30
<snip>
This shows a MAC move caused by a host with a particular MAC and IP address pair. That information can be compared with the output of the same command on the other node where the address duplication is also observed.
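Both outputs above lend themselves to simple monitoring: the MM field of vrouter-evpn-bgp-routes-show gives a per-MAC move counter to trend, and the evpnsnoop log names the MAC, IP and tunnel involved in each move. The script below is an added example, not part of the product or this document; the sample output and log lines are constructed from the formats shown on this page (the third route row and the non-MAC_MOVE log line are invented), and the MM threshold is an operator-chosen value rather than a product default. It parses both outputs, flags MACs whose move counter meets the threshold, and lists MAC/IP pairs seen moving between more than one tunnel, which is the pattern to compare across the two nodes involved.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of "vrouter-evpn-bgp-routes-show route-type 2 ..." output, following the
# column layout shown on this page (the third row is invented for contrast).
ROUTES_OUTPUT = """\
switch  vrouter-name rd        vni    mac               route-type next-hop  path  extended-community
------- ------------ --------- ------ ----------------- ---------- --------- ----- ------------------------
switch  vr2          2.2.0.1:2 100100 2e:d7:27:b9:11:6d 2          20.0.12.1 66001 RT:465:100100 ET:8 MM:48
switch1 vr1          2.2.0.1:2 100100 2e:d7:27:b9:11:6d 2          20.0.12.1 66001 RT:465:100100 ET:8 MM:48
switch1 vr1          2.2.0.1:2 100100 aa:bb:cc:00:00:01 2          20.0.12.1 66001 RT:465:100100 ET:8 MM:2
"""

# Constructed sample of "vrouter-log-show ... protocol evpnsnoop" lines in the page's format
# (second and third lines invented: a second move via another tunnel, and a non-move event).
LOG_OUTPUT = """\
2021-05-21,05:24:26.075.:rs_msg.c:624:rs_msg_vport_update_event_cb L2_UPDATE mac: 2e:d7:27:b9:11:6d, log_type l2-modify caller cluster-status: vxlan 100100, vlan 100 reason:modify,evpn-mac-move owner_flags 0x0, over_tunnel 1791, 2e:d7:27:b9:11:6d action MAC_MOVE ip 10.0.100.30
2021-05-21,05:24:40.110.:rs_msg.c:624:rs_msg_vport_update_event_cb L2_UPDATE mac: 2e:d7:27:b9:11:6d, log_type l2-modify caller cluster-status: vxlan 100100, vlan 100 reason:modify,evpn-mac-move owner_flags 0x0, over_tunnel 1792, 2e:d7:27:b9:11:6d action MAC_MOVE ip 10.0.100.30
2021-05-21,05:25:01.000.:rs_msg.c:624:rs_msg_vport_update_event_cb L2_UPDATE mac: 2e:d7:27:b9:11:6d, log_type l2-add caller cluster-status: vxlan 100100, vlan 100 reason:add owner_flags 0x0, over_tunnel 1791, 2e:d7:27:b9:11:6d action ADD ip 10.0.100.30
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"

# One route-type 2 row: switch, vrouter, rd, vni, mac, "2", next-hop, path, ... MM:<n>
ROUTE_RE = re.compile(
    rf"^(?P<switch>\S+)\s+(?P<vrouter>\S+)\s+(?P<rd>\S+)\s+(?P<vni>\d+)\s+(?P<mac>{MAC})\s+2\s+"
    rf"(?P<nh>\S+)\s+\S+\s+.*\bMM:(?P<mm>\d+)"
)

# One evpnsnoop line that ends in "over_tunnel <id>, <mac> action MAC_MOVE ip <ip>"
MOVE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2},\d{2}:\d{2}:\d{2}\.\d{3}).*?vxlan (?P<vxlan>\d+),.*?"
    rf"over_tunnel (?P<tunnel>\d+), (?P<mac>{MAC}) action MAC_MOVE ip (?P<ip>\S+)"
)


def parse_mm_counts(text):
    """Return {(switch, vrouter, mac): MM} from route-type 2 output; header/separator lines are skipped."""
    counts = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            counts[(m["switch"], m["vrouter"], m["mac"])] = int(m["mm"])
    return counts


def high_mobility(counts, threshold):
    """Sorted list of MACs whose MM counter reached the operator-chosen threshold."""
    return sorted({mac for (_, _, mac), mm in counts.items() if mm >= threshold})


def parse_mac_moves(text):
    """Extract (timestamp, mac, ip, vxlan, tunnel) from each 'action MAC_MOVE' log line."""
    moves = []
    for line in text.splitlines():
        m = MOVE_RE.match(line)
        if m:
            moves.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d,%H:%M:%S.%f"),
                "mac": m["mac"], "ip": m["ip"],
                "vxlan": int(m["vxlan"]), "tunnel": int(m["tunnel"]),
            })
    return moves


def tunnels_per_host(moves):
    """Group moves by (mac, ip) and count how often each tunnel became the new location."""
    by_host = defaultdict(Counter)
    for mv in moves:
        by_host[(mv["mac"], mv["ip"])][mv["tunnel"]] += 1
    return by_host


def suspected_duplicates(moves):
    """Sorted (mac, ip) pairs seen moving behind more than one tunnel: the duplicate-MAC signature."""
    return sorted(host for host, tunnels in tunnels_per_host(moves).items() if len(tunnels) > 1)


if __name__ == "__main__":
    counts = parse_mm_counts(ROUTES_OUTPUT)
    print("MM counters:", counts)
    print("MACs at or above threshold 10:", high_mobility(counts, 10))
    print("hosts flapping between tunnels:", suspected_duplicates(parse_mac_moves(LOG_OUTPUT)))
```

Run the same parser over the evpnsnoop output collected from each of the two nodes; a MAC/IP pair that appears in suspected_duplicates on both, with the tunnel IDs pointing at each other, is the condition the freeze parameters in the previous section are designed to contain.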